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Abstract. Often an attacker tries to 
disconnect a network by destroying 
nodes or edges, while the defender 
counters using various resilience 
mechanisms. Examples include a music 
industry body attempting to close down 
a peer-to-peer file-sharing network; 
medics attempting to halt the spread of 
an infectious disease by selective 
vaccination; and a police agency trying 
to decapitate a terrorist organisation. 
Albert, Jeong and Barabasi famously 
analysed the static case, and showed 
that vertex 

-order attacks are effective against 
scale-free networks. We extend this work 
to the dynamic case by developing a 
framework based on evolutionary game 
theory to explore the interaction of 
attack and defence strategies. We show, 
first, that naive defences don't work 
against vertex-order attack; second, that 
defences based on simple redundancy 
don't work much better, but that 
defences based on cliques work well; 
third, that attacks based on centrality 
work better against clique defences than 
vertex-order attacks do; and fourth, that 
defences based on complex strategies 
such as delegation plus clique resist 
centrality attacks better than simple 
clique defences. Our models thus build a 
bridge between network analysis and 
evolutionary game theory, and provide a 
framework for analysing defence and 
attack in networks where topology 
matters. They suggest definitions of 
efficiency of attack and defence, and may 
even explain the evolution of insurgent 
organisations from networks of cells to a 
more virtual leadership that facilitates 
operations rather than directing them. 
Finally, we draw some conclusions and 
present possible directions for future 
research. 



1 Introduction 

Many modern conflicts turn on connectivity. 
In conventional war, much effort is expended 
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on disrupting the other side's command, 
control and communications by jamming or 
destroying his facilities. Counterterrorism 
operations involve a similar effort but with 
different tools: traffic analysis to trace 
communications, coupled with surveillance of 
the flows of money, material and recruits, 
followed by the arrest and interrogation of 
individuals who appear to be significant 
nodes. Terrorists are aware of this, and take 
measures to prevent their networks being 
traced. Usama bin Laden described his 
strategy on the videotape captured in 
Afghanistan as 'Those who were trained to fly 
didn't know the others. One group of people 
didn't know the other group' (see |T1], which 
describes the hijackers' networks). 

Connectivity matters for social dominance 
too, handful of leading individuals do much 
of the work of holding a society together. Sub- 
verting or killing these leaders is likely to be 
the cheapest way to make an invaded coun- 
try submit. When the Norman French invaded 
England in the eleventh century, they killed or 
impoverished most of the indigenous landown- 
ers; when the Turks, and then the Mongols, in- 
vaded India, they killed both landowners and 
priests; when England suppressed the Scottish 
highlands after the 1745 uprising, landowners 
were induced to move to Edinburgh or London; 
and in many of the dreadful events of the last 
century, rulers targeted the elite (Russian ku- 
laks, Polish officers, Tutsi schoolteachers, . . . ). 

Moving from politics to commerce, the mu- 
sic industry spends a lot of money attempting 
to disrupt peer-to-peer file-sharing networks. 
Techniques range from technical attacks to ag- 
gressive litigation against individuals believed 
to have been running major nodes. 

Networks of personal contacts are 
important in other applications too. In public 



health, for example, it often happens that a 
small number of individuals account for much 
of the transmission of a disease. Thus Senegal 
has been more effective at tackling the spread 
of HIV/AIDS than other African countries, as 
they targeted prostitutes jTS]. In fact, interest 
in social networks has grown greatly over the 
last 15 years in the humanities and social 
sciences |2UI9| . 

Recent advances in the theory of networks 
have provided us with the mathematical and 
computational tools to understand such 
phenomena better. One striking result is that 
a network much of whose connectivity comes 
from a small number of highly-connected 
nodes can be very efficient, but at the cost of 
extreme vulnerability. As a simple example, if 
everyone in the county communicates using 
one telephone exchange, and that burns down, 
then everyone is isolated. 

This paper starts to explore the tactical 
and strategic options open to combatants in 
such conflicts. What strategies can one adopt, 
when building a network, to provide good 
trade-offs between efficiency and resilience? 
We are particularly interested in complex 
networks, involving thousands or millions of 
nodes, which are so complicated (or under 
such dispersed control) that the resilience 
rules can only be implemented locally, rather 
than by a central planner who deliberately 
designs a network with multiple redundant 
backbones. 

Is it possible, for example, to create a 
virtual high-degree node, by combining a 
number of nodes which appear on external 
inspection to have lower degree? For example, 
a number of individuals might join together in 
a ring, and use some covert communications 
channel to route sensitive information round 
the ring in a manner shielded from casual 
external inspection. There is a loose precedent 
in Chaum's 'dining cryptographers' 
construction ^Uj, in which a number of 
cryptographers pass messages round a ring in 
such a way as to mask, from insiders, the 
source and destination of encrypted traffic. 
Can we build a similar construction, but in 
which the fact of systematic message routing 



is concealed from outsiders, with the result 
that the participants appear to be 'ordinary' 
nodes making a modest contribution in the 
network, rather than important nodes that 
should be targeted for close inspection and/or 
destruction? 

2 Previous Work 

There has been rapid progress in recent years 
in understanding how networks can develop 
organically, how their growth influences their 
topology, and how the topology in turn affects 
both their capacity and their robustness. 
There is now a substantial literature: for a 
book- length introduction, see Watts |21| . 
while literature surveys are jlll7j 

Early work by Erdos and Renyi modelled 
networks as random graphs jlll7j : this is 
mathematically interesting but does not 
model most real-world networks accurately. In 
real networks, path lengths are generally 
shorter; it is well known that any two people 
are linked by a chain of maybe half a dozen 
others who are pairwise acquainted - known 
as the 'small-world' phenomenon. This idea 
was popularised by Milgram in the 60s 
An explanation started to emerge in 1998 
when Watts and Strogatz produced the alpha 
model. Alpha is a parameter that expresses 
the tendency of nodes to introduce their 
neighbours to each other; with a = 0, each 
node is connected to its neighbours' 
neighbours, so the network is a set of 
disconnected cliques, while with a = oo, we 
have a random graph. They discovered that, 
for critical values of a, a small- world network 
resulted. The alpha model is rather complex 
to analyse, so they next introduced the beta 
network: this is constructed by arranging 
nodes in a ring, each node being connected to 
its r neighbours on either side, then replacing 
existing links with random links according to 
a parameter j3; for (3 = no links are replaced, 
and for /3 = 1 all links have been replaced, so 
that the network has again become a random 
graph [22] • The effect is to provide a mix of 
local and long-distance links that models 
observed phenomena in social and other 
networks. 
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How do networks with short path lengths 
come about in the real world? The simplest 
explanation involves preferential attachment. 
Barabasi and Albert showed in 1999 how, if 
new nodes in a network prefer to attach to 
nodes that already have many edges, this 
leads to a power-law distribution of vertex 
order which in turn gives rise to a scale-free 
network jHj, which turns out to be a more 
common type of network than the alpha or 
beta types. In a social network, for example, 
people who already have many friends are 
useful to know, so their friendship is 
particularly sought by newcomers. In 
friendship terms, the rich get richer. There are 
many economic contexts in which such 
dynamics are also of interest |13) . 

The key paper for our purposes was written 
by Albert, Jeong, and Barabasi in 2000. They 
observed that the connectivity of scale-free net- 
works, which depends on the highly-connected 
nodes, comes at a price: the destruction of these 
nodes will disconnect the network. If an at- 
tacker removes the best-connected nodes one 
after another, then past some threshold point 
the size of the largest component of the graph 
collapses 

Later work by Holme, Kim, Yoon and Han 
in 2002 extended this from attacks on vertices 
to attacks on edges; here, the attacker removes 
edges connecting high-degree nodes, and again, 
past some critical point, the network becomes 
disconnected jT3]. They also suggested using 
centrality - technically, this is the 'betweenness 
centrality' of Freeman ^2] ~ as an alternative 
to degree for attack targeting. (A node's cen- 
trality is, roughly speaking, the proportion of 
paths on which it lies.) Computing centrality 
is harder work for the attacker than observing 
vertex degree, but it enables him to attack net- 
works (such as beta networks) where there is 
little or no variability in vertex order. Finally, 
in 2004, Zhao, Park and Lai modelled the cir- 
cumstances in which a scale-free network can 
suffer cascading breakdown from the successive 
failure of high-connectivity nodes [2S]. These 
ideas find some resonance in the field of strate- 
gic studies: for example, Soviet doctrine called 
for destroying a third of the enemy's network, 



jamming a further third, and hoping that the 
remaining third would collapse under the in- 
creased weight of traffic. 

3 Naive Defences Don't Work 

Given the obvious importance of the subject, 
and the fact that the Albert-Jeong-Barabasi 
paper appeared in 2000, one obvious question 
is why there has been no published work since 
on how a network can defend itself against a 
decapitation attack. Here is one possible expla- 
nation: the two obvious defences don't work. 

One of these is simply to replenish 
destroyed nodes with new nodes, and furnish 
them with edges according to the same 
scale-free rule that was used to generate the 
network initially. One might hope that some 
equilibrium would be found between attack 
and defence. 

The other obvious defence is to replenish 
destroyed nodes, but to wire their edges 
according to a random graph model. In this 
way, we might hope that, under attack, a 
network would evolve from an efficient 
scale-free structure into a less efficient but 
more resilient random structure. In a real 
application, this might happen either as a 
result of nodes learning new behaviour, or by 
selective pressure on a node population with 
heterogeneous connectivity preferences: in 
peacetime the nodes with higher degree would 
become hubs, while in wartime they would be 
early casualties. 

Nice as these ideas may seem in theory, 
they do not work at all well in practice. 
Figure ^ shows first (solid line) how the 
vertex-order attack of Albert, Jeong and 
Barabasi works against a simulated 
network with no replenishment, then with 
random replenishment, then with scalefree 
replenishment. In the vanilla case the attack 
takes two rounds to disconnect the network; 
with random replenishment it takes three, and 
with scale-free replenishment it takes four. 

It seems that, to defend against these 
kinds of decapitation attacks on networks, we 
will need smarter defence strategies. But how 
should these be evolved, and what sort of 
framework should we use to evaluate them? 



3 



Vertex-order attack 
with naive replenishment 



o 



No replenishment 

Random replenishment 
Scalefree replenishment 



°o 



. mOO" o 

o 



\ °o S «o 8 8o 8 88o88o06 o§Soo'! 

"OOOOOOOOOOOOOOOOOOOOOOOOOOC 



10 



15 



Rounds 



20 



25 



30 



No-replenishment 

Random-replenishment 

Scalcfree-rcplcnishment 



Fig. 1. Naive defences against vertex-order de- 
capitation attack 



4 A Model from Evolutionary Game 
Theory 

Previous researchers considered disruptive at- 
tacks on networks to be a single-round game. 
Such a model is suitable for applications such 
as a conventional war, in which the attacker has 
to expend a certain amount of effort to destroy 
the defender's command, control and communi- 
cations, and one wishes to estimate how much; 
or a single epidemic in which a certain amount 
of resource must be spent to bring the disease 
under control. 

However, there are many applications in 
which attack and defense evolve through 
multiple rounds: terrorism and music-sharing 
are only two examples. We now develop a 
framework for considering this more general 
case. We apply ideas from evolutionary game 
theory developed by Axelrod and others |3l4j . 
This theory studies how games of multiple 
rounds differ from single-round games, and it 
has turned out to have significant explanatory 
power in applications from ethology to 
economics. 



We now formalise a model in which a game 
is played with a number of rounds. Each round 
consists of attack followed by recovery. Recov- 
ery in turn consists of two phases: replenish- 
ment and adaptation. 

In the attack phase, the attacker destroys 
a number of nodes (or, in a variant, of edges); 
this number is his budget. He selects nodes for 
destruction according to some rule, which is his 
strategy. For example, he might at each round 
destroy the ten nodes with the largest number 
of edges connected to them. He executes this 
strategy on the basis of information about the 
network topology. 

In the replenishment phase, the defend- 
ing nodes recruit a number of new nodes, and 
go through a phase of establishing connections 
- again, according to given strategies and in- 
formation. 

In the adaptation phase, the defending 
nodes may rewire links within each connected 
component of the network, in accordance with 
some defensive strategy. The adaptation phase 
is applied once at the start of the game, 
before the first round of attack; thereafter the 
game proceeds attack - replenish - adapt. 

An attack strategy is more efficient, for a 
given defense strategy, if an attacker using it 
requires a smaller budget to disrupt the net- 
work. Similarly, a defense strategy is more ef- 
ficient if, for a given attack strategy, it com- 
pels the attacker to expend a higher budget 
to achieve network disruption. (We will clarify 
this later once we have presented and discussed 
a few simulations.) 

We assume initially that the attacker has 
perfect information about the network topol- 
ogy, and that her goal is simply to partition 
the network - that is, divide it into two or 
more nontrivial disjoint components. We as- 
sume that the defender has only local informa- 
tion, that it, each node shares the information 
available to those nodes with which it is con- 
nected. Thus, for example, if the attacker man- 
ages to split the network into two components, 
there is no way for them to reconnect. We also 
start off by assuming that the defence strategy 
affects only the adaptation phase, as only once 
nodes have connected to a network can they be 
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programmed to follow it; so the replenishment 
phase is exogenous. 

A further initial assumption is that the at- 
tack and defence budgets are roughly equal. By 
this we will mean that for each node destroyed 
in the attack phase, one node will be replaced in 
the resource addition phase. Thus the network 
will neither grow or shrink in absolute size and 
we can concentrate on connectivity effects. We 
will discuss other possible assumptions later, 
but the static budgets and global attack / lo- 
cal defence assumptions will get us started. 

5 Defence Evolution - First Round 

To analyse the vulnerability of a network, the 
selection of network elements (nodes or edges) 
destroyed in each round is the attacker's 
choice and constitutes her strategy. The 
attacker wishes to maximize the network 
damage caused per unit of work. 

We will start off by considering a static at- 
tacker, using what we know to be a reason- 
able attack (vertex-order), and examine how 
the defence strategy can adapt. Then we will 
see what better attacks can be found against 
the best defence we found. Then we will look 
for a defence against the best attack we found 
in the last round, and so on. There is no guar- 
antee that the process converges - there may 
be a specialised attack that works well against 
each defence, and vice versa - but if evolution- 
ary games on networks behave like more tra- 
ditional evolutionary games, we may expect to 
find some strategies that do well overall, as 'tit 
for tat' does in multi-round prisoners' dilemma. 
We may also expect to gain useful insights in 
the process. 

5.1 Defense strategy 1 — random 
replenishment 

Our first defensive strategy is the simplest of 
all, and is one of the naive defences introduced 
in the above section. New nodes are joined to 
the graph at random. We assume that each at- 
tack round removes r nodes, and the replenish- 
ment round adds exactly r nodes, each of which 
is joined to the surviving vertices with proba- 
bility p. r remains constant for each run of the 



simulation, while p increases from k/(N — r) 
to k/{N — 1) as the replenishment proceeds. In 
this strategy, the defender does nothing in the 
adaptation phase. 

This models the case where new recruits to 
a subversive network simply contact any other 
subversives they can find; no attempt is made 
to reshape the network in response to the cap- 
ture of leaders but the network is simply al- 
lowed to become more amorphous. 

5.2 Defense strategy 2 — dining 
steganographers 

Our second defensive strategy is more 
sophisticated, and is inspired by the theory of 
anonymous communication as developed by 
computer scientists, most notably Chaum jTUj. 
A node that acquires a high vertex order, and 
thus could be threatened by a vertex-order 
attack, splits itself into n nodes, arranged in a 
ring. The rings have two functions. First, they 
provide resilience: a ring broken at one point 
still supports communications between all its 
surviving nodes, and it is the simplest such 
structure. Second, nodes can route covert 
traffic between appropriate input and output 
links, and use encryption and other 
information-hiding mechanisms to conceal the 
traffic. This model was originally presented in 
Chaum's seminal 'dining cryptographers' 
paper cited above, so we might refer to it 
as the 'dining steganographers'. The 
collaborating nodes in each ring cannot 
conceal the existence of communication 
between them, as the cover traffic is visible to 
the attacker. However, from the attacker's 
viewpoint it is not obvious that these n nodes 
are acting virtual supernode. 

Our focus here is on the effects of network 
topology, rather than on the higher-layer mech- 
anisms that actually implement the covertness 
property and that provide any confidentiality 
of content or of routing data. We assume a 
world in which there is sufficient encrypted traf- 
fic (SSL, SSH, DRM, . . . ) that encrypted traffic 
is not of itself suspicious so long as it is wrapped 
in a common ciphertext type. The attacker's 
input consists of traffic data collected from the 
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backbone or from ISPs, and her output con- 
sists of decisions to send police officers to raid 
the premises associated with particular IP ad- 
dresses. Her problem is this: given an observed 
pattern of communications, whom should she 
investigate first? 

The precise mechanism of ring formation in 
our simulation is as follows. A vulnerable node 
decides to create a ring and recruits for the 
purpose a further n — 1 nodes from the new 
nodes introduced in the most recent replenish- 
ment round, or, if they are inadequate, from 
among its immediate neighbours. Existing ring 
members cannot be recruited, so rings may not 
overlap. Finally, recruits to a ring relinquish 
any existing links with the rest of the network, 
and the ring-forming node shares its external 
links uniformly among all the members of the 
ring. 

5.3 Defense strategy 3 — revolutionary 
cells 

Our third defensive strategy is inspired by 
cells of revolutionaries, along the model 
favoured historically by a number of insurgent 
organisations. A node that acquires a high 
vertex order splits itself into n nodes, all 
linked with each other, with the previous 
outside connections split uniformly between 
them. In graph-theoretic language, each 
supernode is a clique. 

As in ring formation, a node that considers 
itself vulnerable is allowed to split itself into a 
clique of nodes. The new nodes are drawn either 
from the pool of new nodes, or, if they are insuf- 
ficient, from low- vertex-order neighbours of the 
clique-forming node. As before, this node's ex- 
ternal edges are distributed uniformly among 
members, while other member nodes' former 
external edges are deleted. 

Simulations — first set For our first set of 
simulations, we consider a scalefree network of 
N = 400 nodes. We use a Barabasi- Albert net- 
work created by the following algorithm: 

1. Growth: Starting with uiq = 40 nodes, at 
each round we add m = 10 new nodes, each 
with 3 edges. 



2. Preferential Attachment: The probability 
that a new node connects to node i is 
n(ki) = ki/J2jkj where ki is the degree 
of node i. 

Having created the scalefree network, we 
then ran each of the above defensive strategies 
against a vertex-order attack. 

Results The results of the initial three simu- 
lations are given in Figure [5J 
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Fig. 2. Vertex order decapitation attack in 
rings, cliques and with no adaptation 

The red graph in Figure [2] provides a cali- 
bration baseline. As seen in the above section, 
random replenishment without adaptation is 
ineffective: within three rounds the size of the 
largest connected component has fallen by a 
half, from 400 nodes to well under 200. 

The green graph shows that rings give 
only a surprisingly short-term defence benefit. 
They postpone network collapse from about 
two rounds qto about a dozen rounds. 
Thereafter, the network is almost completely 
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disconnected. In fact, the outcome is even 
worse than with random replenishment. 

Cliques, on the other hand, work well. A 
few vertices are disconnected at each attack 
round, but as the cyan graph shows, the net- 
work itself remains robustly connected. This 
may provide some insight into why, although 
rings have seemed attractive to theoreticians, 
those real revolutionary movements that have 
left some trace in the history books have used 
a cell structure instead. 



6 Attack Evolution — First Round 

Having tried a number of defence strategies and 
found that one of them - cliques - is effective, 
the next step is to try out a number of at- 
tack strategies to see if any of them is effective 
against our defences, and in particular against 
cliques. 

Of the attack strategies we tried against a 
clique defence, the best performer is an attack 
based on centrality. We used the centrality 
algorithm of Brandes [B] to select the 
highest-centrality nodes for destruction at 
each round. As before, our calibration baseline 
is random replenishment. For this, the red and 
black graphs show performance against 
vertex-order and centrality attacks 
respectively. Both are equally effective; within 
two or three rounds the size of the largest 
connected component has been halved. 

The green and blue graphs show that the 
same holds for rings: the network collapses 
completely after about a dozen rounds. 
Centrality attacks are very slightly more 
effective but there is not much in it. 

The most interesting results from these 
simulations come from the magenta and cyan 
graphs, which show how cliques behave. Cyan 
shows, as before, a vertex-order attack with 
severity m = 10 being ineffective against a 
clique defence. Magenta shows the effect on 
such a network of a centrality attack. Here the 
largest connected component retains about 
400 nodes until the network suddenly 
partitions at 14 rounds, whereafter a 
largest-component size of about 200 is 
maintained stably. 



Vertex-order and Centrality attack 
with Rings and Cliques 
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Fig. 3. Rings and Cliques defense under vertex 
order and centrality attacks 
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Centrality attack 
with Rings and Cliques 



o 



CO 

o 



CM 
O 



O 
O 




n 1 1 r 

10 15 20 25 30 
Rounds 



Centrality attack, No adaptation 
Centrality attack, Rings 
Centrality attack, Cliques 



Fig. 4. Average inverse geodesic lengths of 
rings and clique adaption, under centrality at- 
tack 



Some insight into the internal mechanics 
can be gleaned from Figure 0J This shows the 
average inverse geodesic length. For each 
node, we find the length of the shortest path 
to each other node, and take the inverse (we 
take the length to be infinite, and thus the 
inverse to be zero, if the nodes are in disjoint 
components). We average this value over all 
n{n — l)/2 pairs of nodes. This value falls 
sharply for defense without adaptation, and 
falls steadily for defense with rings. These falls 
reflect increasing difficulty in internode 
communication. With cliques, the vertex-order 
attack has little effect, while the centrality 
attack makes steadily increasing progress on a 
graph of 400 vertices, until it achieves 
partition and reduces the largest component 
to about 200 vertices. But it makes only slow 
progress thereafter. 

6.1 Clique sizes 

We next ran a simulation comparing how well 
defense works when using different sizes of rings 
and cliques. Ring size appears to make little dif- 
ference; rings are just not an effective defence 
other than in the very short term. However, 
varying the clique size yields the results dis- 
played in Figure |SJ 

This shows that under a centrality attack, 
the performance of the defense increases 
steadily with the size of the clique. There is 
still a phase transition after about 14 rounds 
or so after which the largest connected 
component becomes significantly smaller, but 
the size of this equilibrium component 
increases steadily from about 150 with clique 
size 8 to almost 300 at clique size 20. 



7 Defence Evolution Second 
Round 

Now that we know centrality attacks are power- 
ful, we have tried a number of other possible de- 
fences. The most promising at present appears 
to be a compound defence based on cliques and 
delegation. 

The idea behind delegation is fairly 
simple. A node that is becoming too 
well-connected selects one of its neighbours as 
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a 'deputy' and connects it to a second 
neighbour, with which it then disconnects. 
This reflects normal human behaviour even in 
peacetime: busy leaders pass new recruits on 
to colleagues. In wartime, and with an enemy 
that might resort to vertex-order attacks, the 
incentive to delegate is even greater. Thus a 
terrorist leader who gets an offer from a 
wealthy businessman to finance an attack 
might simply introduce him to a young 
militant who wants to carry one out. The 
leader need now maintain communications 
with at most one of the two. 

Delegation on its own is rather slow; it takes 
dozens of rounds for delegation to 'immunise' a 
network against vertex-order attack. If a vanilla 
scale-free network is going to be exposed to ei- 
ther a vertex-order or centrality attack from the 
next round, then drastic action (such as clique 
formation) is needed at once; else it will be dis- 
connected within two or three rounds. Slower 
defences like delegation can however play a role, 
provided they are started from network forma- 
tion or a reasonable time period (say 20 rounds) 
before the attack begins. 

It turns out that the delegation defence, 
on its own, is rather like the rings of dining 
steganographers. Network fragmentation is 
postponed (about 14 rounds with the 
parameters used here) though not ultimately 
averted. 

What is interesting, however, is this. If we 
form a network and immunise it by running the 
delegation strategy, then run a clique defence 
as well from the initiation of hostilities, this 
compound strategy works rather better than 
ordinary cliques. Figure shows the simulation 
results. 

Figure [7| may give some insight into the 
mechanisms. Delegation results in shorter path 
lengths under attack: it postpones and slows 
down the growth of path length that otherwise 
results from hub elimination. As a result, equi- 
librium is achieved later, and with a larger min- 
imum connected component. 



Fig. 5. Clique recovery with different clique 
sizes under a centrality attack 



8 Conclusions and Future Work 

In this paper, we have built a bridge between 
network science and evolutionary game theory. 
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Fig. 6. Component size: clique, immunization 
by delegation, and combined clique and delega- 
tion defenses against centrality attack 



Fig. 7. Clique, immunization by delegation, 
and combined clique and delegation defenses 
against centrality attack 
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For some years, people have discussed 
what sort of communications topologies might 
be ideal for covert communication in the 
presence of powerful adversaries, and whether 
network science might be of practical use in 
covert conflicts - whether to insurgents or to 
counterinsurgency forces |5I18| . Our work 
makes a start on dealing with this question 
systematically. 

Albert, Jeong and Barabasi showed that al- 
though a scalefree network provides better con- 
nectivity, this comes at a cost in robustness - an 
opponent can disconnect a network quickly by 
concentrating its firepower on well-connected 
nodes. In this paper, we have asked the logical 
next questions. What sort of defence should be 
planned by operators of such a network? And 
what sort of framework can be developed in 
which to test successive refinements of attack, 
defense, counterattack and so on? 

First, we have shown that naive defences 
don't work. Simply replacing dead hubs with 
new recruits does not slow down the attacker 
much, regardless of whether link replacement 
follows a random or scale- free pattern. 

Moving from a single-shot game to a re- 
peated game provides a useful framework. It 
enables concepts of evolutionary game theory 
to be applied to network problems. 

Next, we used the framework to explore two 
more sophisticated defensive strategies. In one, 
potentially vulnerable high-order nodes are re- 
placed with rings of nodes, inspired by a stan- 
dard technique in anonymous communications. 
In the other, they are replaced by cliques, in- 
spired by the cell structure often used in rev- 
olutionary warfare. To our surprise we found 
that rings were all but useless, while cliques 
are remarkably effective. This may be part of 
the reason why cell structures have been widely 
used by capable insurgent groups. 

Next, we searched for attacks that work 
better against clique defences. We found that 
the centrality attack of Holme et al does 
indeed appear to be more powerful, although 
it can be more difficult to mount as evaluating 
node centrality involves knowledge of the 
entire topology of the network. Centrality 
attacks may reflect the modern reality of 



counterinsurgency based on pervasive 
communications intelligence and, in 
particular, traffic analysis. 

Now we are searching for defences that work 
better against centrality attacks. A promising 
candidate appears to be the delegation defence, 
combined with cliques. This combination may 
in some ways reflect the reported 'virtualisa- 
tion' strategies of some modern insurgent net- 
works. 

Above all, this work provides a systematic 
way to evolve and test security concepts relat- 
ing to the topology of networks. Clearly the 
coevolution of attack and defense can be taken 
much further. Further work includes testing: 

1. networks that grow or shrink, maybe with 
endogenous replenishment (current recruit- 
ment a function of past operational success) 

2. imperfectly informed attackers, such as po- 
licemen who have access to the records of 
some but not all phone companies or email 
service providers, or who must use purely 
local measures of centrality 

3. perfectly informed defenders, who can co- 
ordinate connectivity globally 

4. budget tradeoffs - for example, a defender 
might be able to hide specific edges but only 
at some cost to his replenishment budget 

5. heterogeneous networks, with 
subpopulations having different robustness 
preferences 

6. dynamic strategies that detect opponents' 
strategies and respond 

7. different attacker goals. For example, some 
say that the Iraqi rebel leader Al-Zarqawi 
is not bin Laden's subordinate but his com- 
petitor. So an attack objective might be 
not just partition, but to divide the opposi- 
tion into groups of less than a certain size. 
When attacking an ad-hoc sensor network, 
the goal might be to reduce the effective 
bandwidth, and there might be interaction 
with routing algorithms. 

Preliminary though it is, we suggest that 
this work has broad potential applicability - 
from making the Internet more resilient against 
natural disasters and malicious attacks, to the 
question of how best to disrupt (or design) sub- 
versive networks. 



11 



Acknowledgements: We have had useful 
feedback on an early versionq of this paper 
from Albert-Laszlo Barabasi, Mike Bond, 
George Danezis, Karen Sparck Jones and 
Chris Lesniewski-Laas. The first author was 
supported by a scholarship from the Gates 
Trust. 

References 



10. 



11. 



12. 



13. 



14. 



15. 



16. 



21. 



22. 



23. 



R Albert. AL Barabasi, "Statistical Mechanics of 
Complex Networks" , Reviews of Modern Physics 
74 (2002) 47 

R Albert, H Jeong, and AL Barabasi, "Error and 
attack tolerance of complex networks" in Nature 
v 406 (2000) pp 387-482 

R Axelrod, "The Evolution of Cooperation" Basic 
Books, New York (1984) 

R Axelrod, "The Complexity of Cooperation" 
Princeton University Press (1997) 
C Ballester, A Calvo-Armengol and Y Zenou, 
"Who's Who in Crime Networks - Wanted the 
Key Player", IUI Working Paper Series 617, 
The Research Institute of Industrial Economics 
(2004). 

AL Barabasi, R Albert, "Emergence of scaling 
in random networks", in Science v 286 (1999) pp 
509-512 

B Bollobas, 'Random Graphs', Academic Press 
(1985) 

U Brandes, "A Faster Algorithm for Betweenness 
Centrality", J. Math. Soc. 25(2) (2001) pp 163- 
177 

PJ Carrington, J Scott, S Wassermann, 'Models 
and Methods in Social Network Analysis', Cam- 
bridge University Press (2005) 
D Chaum, "The Dining Cryptographers Prob- 
lem: Unconditional Sender and Recipient Un- 
traceability" , in Journal of Cryptology v 1 (1989) 
pp 65-75 

P Erdos, A Renyi, "On Random Graphs", in 
Publicationes Mathematicae v 6 (1959) pp 290- 
297 

LC Freeman, "A set of measuring centrality 
based on betweenness", in Sociometry v 40 
(1977) p 35-41 

MO Jackson, "A Survey of Models of Network 
Formation: Stability and Efficiency" A, in Group 
Formation in Economics: Networks, Clubs, and 
Coalitions, edited by Gabrielle Demange and 
Myrna Wooders, Cambridge University Press. 
VE Krebs, "Mapping Networks of Terror- 
ist Cells", in Connections v 12 no 3; at 
http : //www. locative .net /tcmreader/ index .php?mapping; krebs 
P Holme, BJ Kim, CN Yoon, and SK Han, 
"Attack Vulnerability of Complex Networks" in 
Phys. Rev. E v 65 art. no. 018101, 2002 
S Milgram, "The Small World Problem" , in Psy- 
chology Today v 2 (1967) pp 60-87 



17. MEJ Newmann, "Structure and Function of 
Complex Networks", SI AM Review 45 (2003) pp 
167-256 

18. MK Sparrow, "The Application of Network 
Analysis to Criminal Intelligence: An assessment 
of the prospects", in Social Networks v 13 (1990) 
pp 253-274 

19. N Thompson, "The Network Effect - Why 
Senegal's bold anti-AIDS program is work- 
ing", in The Boston Globe January 5, 2003; at 

http: //www. newamerica.net/ index. cfm?pg=article&DocID=1092 

20. S Wassermann, K Faust, 'Social Network Analy- 
sis', Cambridge University Press (1994) 
DJ Watts, 'Six Degrees: The Science of a Con- 
nected Age', Norton, New York (2003) 
DJ Watts, SH Strogatz, "Collective Dynamics of 
Small- World Networks", in Nature v 393 (1998) 
pp 440-442 

LA Zhao, KH Park, YC Lai, "Attack vulnerabil- 
ity of scale-free networks due to cascading break- 
down", in Physical review E v 70, 035101 (R), 
2004 



12 



Vertex-order attack 
with naive replenishment 




- °°oooooooo^ 



i i i i i i r 

5 10 15 20 25 30 



Rounds 



— ©— No replenishment 

Random replenishment 
A Scalefree replenishment 



